Each year brings new technological developments that improve people’s lives. Unfortunately, these advances also mean new cybersecurity threats and more attack surfaces. Indeed, as this IEEE survey infographic illustrates, Chief Information Officers and Chief Technology Officers say that their biggest challenge in 2017 will be online security threats. The following are a few concerns we face today, and what we can do to counter them.

COMPROMISED CREDENTIALS

Overview

During a breach, hackers often raid lists of users’ credentials if they can find them. Sometimes it’s their main goal; other times it’s just a part of a larger data haul. These credentials can then be used for a number of malicious scenarios, including breaking into the systems of affiliated businesses. In more basic cases, attackers may simply guess a user’s password, or use a tool to run through thousands of options.

Incident

During the holiday season of 2013, 40 million credit card numbers and 70 million addresses, phone numbers, and other pieces of personal information were stolen from a major retailer’s servers. Hackers had almost two weeks to harvest the data.

The intruders gained access to the retailer’s system by using stolen credentials from a third-party vendor. While the vendor’s connection to the servers was only for billing and contracts, intruders were able to exploit holes that ultimately allowed them into siloed customer data.

Threat Outlook

With so much personal data already compromised, two-factor authentication is a widely suggested option. Some variants include using cell phone location as an automatic second factor. Another idea is issuing a Common Access Card (CAC) to every citizen, like government employees use.

CROSS-SITE SCRIPTING (XSS)

Overview

XSS is an injection attack carried out on websites that accept input, but don’t properly separate data and executable code before the input is delivered back to the user’s browser. Since browsers can’t tell valid markup from attacker-controlled markup, attackers can either inject malicious code into the user’s system or extract the user’s data.

Incident

An XSS vulnerability on an online auction website, exploited with JavaScript, allowed attackers to inject their own malicious form page via an iframe. This made the malicious URL look like a legitimate page hosted on the site. As users logged into what they thought was their account, their credentials could be captured in plain text. The flaw persisted for months, and it’s unclear how many users were affected.

Threat Outlook

XSS vulnerabilities can be avoided by adopting the convention that all HTML markup must be produced by APIs and libraries that guarantee correct, context-specific encoding of data inserted into HTML markup. In many cases, developers just use HTML templating systems to generate HTML markup.
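The convention described above, as an added illustration that is not part of the IEEE page: a minimal Python renderer in which every template placeholder names its output context (text node, quoted attribute, URL component) and the matching encoder is applied automatically, beside the raw-concatenation baseline it replaces. The `{name:context}` placeholder syntax is this example's own; the encoders are the standard library's `html.escape` and `urllib.parse.quote`.

```python
import html
import re
from urllib.parse import quote

# One encoder per output context. Data dropped into markup is passed through the
# encoder for the context it lands in, so the browser cannot mistake it for code.
ENCODERS = {
    "text": lambda v: html.escape(v, quote=False),  # between tags
    "attr": lambda v: html.escape(v, quote=True),   # inside a double-quoted attribute
    "url":  lambda v: quote(v, safe=""),            # inside a URL query component
}

# Placeholders carry their context, e.g. {q:attr}; the syntax is this example's own.
PLACEHOLDER = re.compile(r"\{(\w+):(\w+)\}")


def render_unsafe(template: str, **values: str) -> str:
    """Vulnerable baseline: user data is concatenated straight into the markup."""
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


def render(template: str, **values: str) -> str:
    """Context-specific encoding: every placeholder names its output context, and
    a placeholder with an unknown context is an error, never a silent raw insert."""
    def substitute(m):
        name, context = m.group(1), m.group(2)
        if context not in ENCODERS:
            raise ValueError(f"unknown output context {context!r} for {name!r}")
        return ENCODERS[context](values[name])
    return PLACEHOLDER.sub(substitute, template)


# The same value appears in three contexts, each needing a different encoding.
PAGE = ('<p>Results for {q:text}</p>'
        '<input name="q" value="{q:attr}">'
        '<a href="/search?q={q:url}">search again</a>')


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    tainted = '"><script>x()</script>'  # constructed sample of attacker-controlled input
    print(render_unsafe(PAGE, q=tainted))  # a new <script> element reaches the browser
    print(render(PAGE, q=tainted))         # the same bytes arrive as inert text
```

A real templating system does the same job at scale by making the encoded path the default and the raw path an explicit, reviewable opt-out.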

DATA BREACH

Overview

Data stored on servers is a common target in (and motivation for) many attacks. The sensitivity of the data determines how potentially damaging it is to an organization – names, addresses, credit card numbers, health information, trade secrets and intellectual property are constantly sought after.

Incident

One of “The Big Three” credit reporting agencies had its servers hacked in 2015. Attackers took the personal information of 15 million third-party cellular customers who had submitted their information for credit checks. Names, addresses and Social Security numbers were all stolen.

Because the information was particularly valuable, it appeared for sale on the dark web extremely quickly. Victims were instructed to place fraud alerts on their credit cards and were later instructed to sign up for identity theft monitoring.

DISTRIBUTED DENIAL-OF-SERVICE ATTACK

Incident

A large Domain Name System (DNS) provider suffered a three-wave distributed denial of service attack last fall. The attack was orchestrated using a weapon called the Mirai botnet, which mobilized IoT devices including digital cameras. Because of the lack of security on these devices, Mirai was able to send traffic from over 100,000 endpoints, making it twice as large as the next-closest attack on record.

Since the DNS provides a distributed directory for the internet, it’s essential to its functionality. While Twitter, Netflix, and Reddit didn’t suffer direct DDoS attacks on that day, the DNS provider’s collapse prevented their sites from functioning, making for an extremely widespread denial of service.

Threat Outlook

Since IoT device manufacturers aren’t protecting consumers, experts are asking government regulators to step in. Ideas include minimum security standards, interoperability standards, software updates and patches, and placing code in escrow so problems can be managed if a company goes out of business.

DRONES

Overview

Drones are still very much a developing technology. As a result, they present a number of different security risks. There are many instances of them being hacked, even from long distances, but they’re also a potential vehicle for hackers to intercept or disrupt corporate communications via unsecured Wi-Fi® and Bluetooth® signals.

Please click below to listen to IEEE Senior Member Paul Kostek speak on cybersecurity and drones.

Incident

Connected light bulbs and their linking systems have been the target of lots of experimental hacking. Recently, hackers were able to bypass the built-in safeguards against remote access. They then extracted the key that the manufacturer uses to encrypt and authenticate new firmware. By installing malicious firmware, the hackers were able to make effects like constant flickering or blackouts permanent.

What’s more, the attack is a worm, and can jump from connected device to connected device through the air. One infected bulb could potentially knock out lights in an entire city. And the worm can be delivered by drone – researchers were able to turn the lights on and off from one flying 350 meters away (roughly a quarter mile).

MALICIOUS INSIDERS

Overview

Despite an organization’s best efforts to mitigate threats, the prospect of a rogue employee is ever-present. Current or former employees, system administrators, contractors or business partners can compromise the system for revenge or personal gain. In fairness, it is easy to misconstrue a bungling attempt to perform a routine job as “malicious” insider activity. But almost one-third of such cases are genuinely malicious.

Incident

At several hospitals in East China’s Shandong Province, the personal information of over 200,000 children who had been processed for receiving vaccinations was leaked. Cell phone numbers and home addresses of parents were taken by the attackers. The data was then offered for sale online for $4,900 USD. The data was obtained in part through unauthorized access, and in part by malicious insiders who collaborated with the attackers. Parents remain worried about the potential ramifications, and in particular, a heightened risk that their children might be kidnapped.

Threat Outlook

Since malicious employees will always be a possibility, reducing risk falls on smart tech practices. One method is simply to reduce the number of insiders. A second is to expand the dimensions of the data, making it larger than the number of insiders.

MALWARE

Overview

Malware refers to malicious software intended to infiltrate and damage computers and networks. It comes in a variety of forms, and can be delivered in a number of ways. At its most extreme, malware can be used to erase all data on any machine that runs it.

Please click below to listen to IEEE Life Senior Member Raul Colcher speak on malware. Please note: the audio is in Portuguese but an English translation can be found here.

Incident

After stealing troves of data from a major motion picture company during a breach, attackers unleashed wiper malware on their way out. The variety they used destroys all data on the Windows machines it infects, then spreads itself via network file shares to attack Windows servers. It also erases the software instructions that tell computers how to operate.

Most PC malware comes wrapped in an executable “dropper” that installs it and its supporting files. That was the case with this attack, too. After spear phishing their way in, the attackers went undetected for long enough to analyze the network and hardcode the names of the company’s servers into the malware.

Threat Outlook

All malware consumes power. A company in Virginia has found that the heat signature of malware’s power usage is very different from a chip’s standard operations. They’ve built a unit that sits outside the CPU and sniffs the chip’s electromagnetic leakage for power consumption patterns indicating abnormal behavior.

RANSOMWARE

Overview

Ransomware is a specific type of malware that locks or damages a victim’s device, then demands a ransom payment to decrypt it and disappear. Victims are then forced to decide whether to pay the price, negotiate, or wait it out. With a lack of security in the IoT, “jackware” may become the next frontier of ransomware, where IoT-connected devices can be locked for ransom.

Incident

A ransomware attack shut down a hospital in Los Angeles for almost two weeks, forcing staff to use pen and paper for record-keeping. Hackers encrypted all of the hospital’s computers and demanded over $3 million USD in Bitcoin. Though patient information and hospital records weren’t compromised, the hospital relented and paid $17,000 USD to regain access to its computers.

While paying the ransom is typically viewed as a bad practice (there’s no guarantee of getting files back and it encourages similar attacks), organizations are sometimes advised to pay the sum in order to get back to business, or in the case of a hospital, continue to provide advanced care.

Threat Outlook

In healthcare, few steps have been taken to solve the problem. Hospitals haven’t made cybersecurity a priority in their budgets – an expert estimated that hospitals spend two percent of their budget on IT, and that security might be 10 percent of that sliver.

SPEAR PHISHING

Overview

Spear phishing is a time-tested form of attack centered on sending bogus emails that look authentic but actually direct the recipient to a fake website. That site steals confidential information, such as the usernames and passwords used to access financial accounts.

Incident

Over the past year, a number of human rights organizations, labor unions, and journalists associated with the 2022 World Cup were targeted in a phishing campaign run out of Qatar. The attacker(s) created a fictional rights activist named Safeena Malik on Facebook, Google, LinkedIn, and Twitter, harvesting details from real accounts.

Targets received emails and social media messages from “Safeena” asking them to look at documents on Qatari human rights or offering forged requests to talk on Google Hangouts. The Hangouts links went to phishing sites crafted specifically for the targets, showing their Google avatar as part of a page mimicking a Google account login. The document links, after capturing their credentials, forwarded them to a real Google Docs document to reduce suspicion.

Threat Outlook

Advanced email filters can help eliminate much of the human error that has allowed spear phishing scams to persist. These filters can detect stories, phrases, and contexts typical of phishing emails. If an email triggers one of these detectors, it would be blocked or quarantined.